Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.
AnalysisAI
Authenticated remote attackers can bypass exec approval mechanisms in OpenClaw npm package versions 2026.2.23 through 2026.4.11 by invoking busybox or toybox multi-call binaries. The vulnerability (CWE-863: Incorrect Authorization) allows attackers to obscure which applet will execute, weakening risk classification for unsafe operations like shell command injection via 'busybox awk BEGIN{system("id")}' or 'toybox ash -c'. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:L) indicates network-accessible exploitation by low-privileged authenticated users. Vendor-released patch available in version 2026.4.12. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond vendor-disclosed commit.
Technical ContextAI
OpenClaw is an npm package (cpe:2.3:a:openclaw:openclaw) that implements exec approval binding to classify and control subprocess invocations. The vulnerability stems from treating busybox and toybox - multi-call binaries where a single executable provides multiple applets via argv[0] or first argument - as safe binaries without recognizing their opaque runtime behavior. Multi-call binaries like 'busybox sh -c payload' or 'toybox awk BEGIN{system()}' can execute arbitrary commands through applets that weren't explicitly approved. CWE-863 (Incorrect Authorization) applies because the approval mechanism failed to enforce intended access restrictions on these interpreter-like wrappers. The fix refactors unwrapArgvForMutableOperand() to track opaqueMultiplexerSeen, treats busybox/toybox as OPAQUE_MUTABLE_SCRIPT_RUNNERS, and fails closed by returning null from resolveMutableFileOperandIndex() when these binaries are detected, preventing unsafe applet invocations from being approved.
RemediationAI
Upgrade to OpenClaw version 2026.4.12 or later (npm install openclaw@2026.4.14 or newer). The fix in commit 666f48d9b882a8a1415ca53f9567c72499d850c9 (PR #65713) treats busybox and toybox as opaque mutable script runners, failing closed when these binaries are invoked rather than attempting to bind individual applets. Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44 and patch at https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9. If immediate upgrade is not feasible, remove busybox and toybox from tools.exec.safeBins configuration to block invocation (side effect: legitimate use of these utilities will be denied), or migrate to explicit allowlist entries specifying exact applet paths (/bin/busybox-awk) rather than the multiplexer binary, though this requires manual mapping of all needed applets and may be operationally complex.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27271
GHSA-2cq5-mf3v-mx44